January 6, 2011

May 5, 2009

For some reason users of social networks appear surprised by the rate at which phishing attacks are appearing on social networks like Facebook. There is the belief among computer users that they can run from one platform, like e-mail, to the next platform, like social networking, to escape preexisting security problems. Much like social problems in the real world, movement to a new electronic location will provide only a temporary respite from endemic social ills. Rather than allowing their population to depart due to a perception of a lack of security, social networks need to make a two pronged attack at reducing their users vulnerability to phishing attacks.

The first prong consists of attempting to improve issues at what is known as the "layer 8", or the human interaction layer. This consists of giving users clues as to what is good content and what is questionable content. For example, social networks can warn users when they are leaving the safety of the network's walled garden and are clicking on a link that has not been explicitly vetted. They can also alert users when there is an increased risk of phishing or malware attacks based upon recent activity, and make this indicator a predominant UI element that appears when links are activated.

The second prong involves the continual improvement of technology for the prevention of in-network phishing attacks. All of the major players have a security team that is already in place to address issues as they come up. Truth be told, these guys are actually doing a pretty decent job as it is right now. These teams are far more empowered to fix problems in their network than you will ever see in almost every other part of the computing world. They have complete control of the internal architecture, and are not bound by standards bodies on how they handle messaging or communication between those systems. Social networks have been able to combat abuse mostly by taking full advantage of all the information they have at their disposal regarding their users, including the IP address they are connecting from and a full record of their behavior inside the network. Nevertheless, phishing is a hard problem, and several of the social networks are going down the path of employing third-party solutions to address the issue.

Without a combination of user education and appropriate technology, participants will end up moving to location to location in search of a completely abuse free environment. Much like many of the problems that society faces, however, the residents of a social network are enabling the attackers to take advantage of them, and as a result make it far more difficult to eliminate the problem. If individuals didn't fall for phishing attacks, then the phishers would leave the platform altogether. Sadly, once phishers' appetites have been whet by a few successes, they are unlikely to depart anytime soon.

April 30, 2009

Not that there is any reason to say this, but it is possible that a significant portion of the workforce will be either absent or working from home in the next few months. This could mean opening up the corporate network to far larger numbers of telecommuters whose systems may be in various states of security disrepair. IT managers should be planning on how give secure access to the corporate network to a batch of relatively untrained employees.

If you don't work in the IT department, the story is pretty simple. Get your laptop set up to connect to your work network if it cannot do so already. Laptops that are primarily home systems should be reformatted and installed from scratch if there is any concern that the machine may contain malware; just because you aren't going to work sick doesn't mean your system should.

For those of you who do work in the IT department, well, I don't envy the job ahead of you. If your network wasn't de-perimeterized before, it will be soon, whether you like it or not. Not only do you need to prep employees' personal systems to connect to the corporate infrastructure, you also need to educate them on the risks of bringing a relatively-unclean personal system into the corporate environment. Given that home systems are not nearly as well looked-after as corporate systems, you also are going to be dealing with all the infections that your employee's home PCs will be bringing past the firewall and NAT systems and into the core network.

There aren't too many recommendations I can make that aren't common sense. For example, you can distribute more laptops to employees who don't have them. Also, you should consider extending the corporate licenses for the anti-virus products to the home systems of employees who do not possess a company-managed PC but will be expected to work remotely.

Plans similar to the one described above should be in the dusty business continuity plans that many organizations created in late 2001. It's time to update them and get ready to put them to practice.

For both individuals and businesses, determining the impact of getting owned begins with listing all the things that you use that are own-able, and then determining a risk mitigation strategy, a containment strategy, and a recovery strategy for each system. These all boil down to a series of "what if" questions that anyone can think through. For the average user, the set of systems that can be compromised includes, but is not limited to, all physical systems, backup mechanisms, and hosted services like e-mail and social networks.

We start from the most "distant" system inwards -- the hosted services. How can an individual's hosted accounts become compromised? The easiest way an attacker could compromise your account is through weak passwords or by sniffing passwords off the wire; therefore, we can reduce the risk of compromise by using strong passwords for our accounts and not accessing them from public access terminals and insecure wireless networks. If you are using a weak password on one site, it is entirely likely you are using a weak password elsewhere. Preventing the attacker from hopping from one hosted account to another can be as simple as using a strong and unique password on every site you access. It isn't just access to the data we should be concerned about. If the service is compromised, it is possible that everything in the account could be deleted, in which case having a backup of, say, all blog posts and all e-mail transactions would be required to get back up and running.

Let's say that the attacker has moved beyond our hosted account and either remotely compromised our physical system or actually stolen the hardware. In both cases, we should expect that all of our unencrypted data is accessible to the world. Both scenarios necessitate file-by-file encryption and a combination of physically secured on-site or off-site backups. A remote compromise would be a far worse situation: even though you don't lose the hardware, the attacker has the opportunity to capture passwords used for hosted services as well as financial accounts. The only way to limit your exposure here is to use cryptographic key fobs (like a SecureID token) and hope they aren't controlling the entire session.

Ultimately the only way to minimize the impact of a compromise is to assume that all of your data is compromised and consequently reduce the amount of data you either keep accessible to content that would not be devastating if it was leaked. In other words, never commit anything to bytes that you don't want your spouse, children, parents, or coworkers to see; the data may only be a single attack away from leaking out into the ether.

When the media claims that the electric grid is compromised out the wazoo, it is important to know what exactly is compromised. We can break down the target systems into two classes, specifically non-critical and critical. The non-critical systems consist of desktops and laptops belonging to the administrative, operational, and executive staff of the firm. Anyone who provides statistics showing the percentage of total systems that are known to be compromised at a power plant is likely only providing statistics on these non-critical systems. It would be foolish to suspect that these figures are going to be any different than any other similarly-sized enterprise. Also, while the number of compromised non-critical systems is a proxy indicator for the general security posture of the firm, but it does not tell us anything concrete about the other class of systems.

The far more important question is how many of the systems that are directly attached to industrial hardware are compromised. A compromise of a desktop or a server that is connected to a controller or a process control monitor could directly lead to blackouts and equipment destruction. Remotely enumerating these critical systems is extremely difficult, and determining their level of compromise without the explicit support of the power industry is almost impossible. Therefore, getting a third-party verification of the "power systems are compromised" story is not achievable at this time.

I am not saying that the power grid is secure or insecure. I am saying, however, that we must cast a critical eye to these stories to make sure we don't fall victim to the fear-mongering that permeates all too many security stories.

April 19, 2009

The technical media is all a twitter over what appears to be the emergence of the first mac botnet. The infector appears to be an updated version of a trojaned version of iWork that popped up earlier this year. Anyone who has worked as a Windows virus analyst would scoff at the relatively unsophistication exhibited by the malware, but nevertheless, it is a piece of malware, and it is out there. I wanted to take this opportunity to answer some of the most common questions people have about mac malware.

Does this mean that Mac users should rush to buy anti-virus software and expect their machines to end up as compromised as a PC? Probably not, but soon. For now, as long as you aren't downloading pirated software you are safe.

Does this mean mac malware is going to become endemic? Yes. If no one is running anti-virus, then there is nothing to clean up infected systems beyond end-of-life hardware replacement. Given the state of the economy and mac hardware longevity, that can take a very long time.

Does this mean we hit the mac malware tipping point? That I don't know. We can't say that we have reached the mac malware tipping point unless we come up with a definition for the tipping point itself. Dino Dai Zovi and I have been kicking around a potential "warning sign" that, when seen, indicates we are now in the mac malware epidemic state. Our current preferred indicator is the emergence of websites that perform drive-by exploits of the browser to install botnet-controllable malware, regardless if the exploit is a zero-day attack or not. In other words, when we see what happens every day on the PC side happen once on the Mac side, then we all need to run out and buy anti-virus software.

Some time ago you predicted that mac malware would hit its tipping point at 15%. Does this mean you are wrong? Well, my prediction was based on the difficulty to attack a PC versus the market share of a Mac. I assumed that the difficult of attacking a PC was strictly defined by the effectiveness of current anti-virus products on a new piece of malware. My back-of-the-envelope estimate put an attacker's success rate at compromising a PC at around 20%, which meant that Macs would have to around 16% market share before they attract the attention of serious malware authors. If the real success rate of an attacker is lower, then you should expect a mac malware epidemic far earlier. So the answer is: maybe I'm wrong, but I don't know yet.

In short, the story for mac malware hasn't changed this week contrary to popular opinion. However, as both users and as information security professionals, we need to remain vigilant and watch for the tipping point in mac malware, and use that as the trigger to install Mac AV software.

April 11, 2009

There is only one security problem that the average consumer will get visibly angry about, and that is spam. Well, that and identity theft, but spam ranks pretty far up there. When I tell people I work in anti-spam as my day job, I get a pat on the back and a comment about how they can't believe how much spam there is in their inbox. To reinforce what we already know, security companies publish statistics claiming that, depending upon the day of the week, 85% to 95% of all e-mail is spam. While this number is seemingly unbelievable, I can guarantee that it is correct. How did we get to the point that approximately 9 out of every 10 e-mails is spam? Paradoxically, the reason why we have so much spam is because our anti-spam is so incredibly effective today.

To understand why this number is not really that shocking, it is helpful to think of spam not as a singular entity but as a living, evolving creature that has responded to spam filters in new and unique ways. Let's imagine you are at a cocktail party in a nearly-full room with a number of people having a good time. As the evening progresses, the ambient noise in the room gets progressively louder. People respond to the increasing loudness in the room by straining their voices, and eventually the room is a 70dB cacophony of random chatter. The same kind of relationship exists between spam filters and spammers.

Spammers want to be heard, and will accept a certain rate of response to their content. Before the days of ubiquitous spam filters, they would generate content at a far lower rate, since they were getting responses at that rate. As decent spam filters became standard operating equipment on the Internet, the spammers needed to change their game to continue being heard. They did this by mutating their content and sending spam from more locations, resulting in a higher rate of delivery attempts. Again, anti-spam responded with better filters that looked at both content and the IP address of the send systems, and the spammers responded in kind by pushing their mutation rates and transmission rates further up, thus leading to these almost unbelievable spam rates.

If you are a home user, you shouldn't really need to think about this too much. Your ISP or your free webmail provider has to do at least a halfway decent job of filtering spam at this point. If your provider didn't do a good job, then they would have to over-provision their mail servers and mail stores by a factor of 10 or so. E-mail is a pretty cost-conscious business, and this kind of outlay would put them out of business. If your ISP is completely dropping the ball or you have a small business domain that is getting inundated with spam filtering, either call up the domain hosting company and complain or buy a desktop anti-spam product.

I am not trashing the MMBA (Malware MBA)'s ability to extract money from criminal activities. There really are only a handful of ways malware authors have shown they can successfully make money: they can sniff keystrokes, send spam, DDoS websites, or re-sell access to their software and machines to do the same work. However, for all the hype that surrounded the worm I expected something far more sophisticated.

The story for the average consumer is pretty basic. First off, you should not be using any anti-virus software that magically pops up on your system that you have never heard of before. If you are reading this website, chances are you already know this. The spam engine sounds like a ripoff of older technology, so we should expect no dramatic shift in spam mutation techniques. We should expect an increase in spam delivered to people's inboxes due only to the increase in the volume of spam transmission attempts.

Then again, while it is unprofitable, tomorrow the Conficker writers could push down a DDoS package and melt the Internet. This isn't alarmism, it is just what is possible when a single group controls a very large botnet.

March 30, 2009

After seven months of blogging at ZDNet, I am back to the personal blog. The fall-off in advertising revenue across the media space has necessitated cutbacks, and my spot on the security beat was axed.

I won't stop generating content, but I am not quite sure where it will be hosted right now. I will update you as soon as I find out.